Tuesday, January 20, 2009

Samba vs Active Directory: NFL vs High School?

Don Jones posted a nice blog comment about some of the issues involved with choosing an open source alternative to Active Directory while maintaining authentication interoperability (say that ten times fast!) with Windows clients. I agree with his comments, but he forgot one of THE most powerful aspects of AD: Group Policy.

There's nothing truly like Group Policy in the Linux world that I've found. There are some open source projects that mimic certain aspects, but nothing matches it completely. People try to put Group Policy into a logical "box" as a one-trick pony, usually saying that it's only used to "deploy settings" or "install software", but it's much more than that.

The integration of Group Policy with LDAP structures (OUs) and object classes, WMI filtering, inheritance and blocking, modeling tools, RSoP tools, and the more recent addition of Group Policy Preferences and PowerShell cmdlets all make Group Policy a serious force to be reckoned with on its own. It's unfair, and woefully inaccurate, to compare AD with Samba unless you restrict the discussion to nothing more than authentication (e.g. Kerberos and NTLM). I mean, as far as using Samba for AD authentication is concerned: you can, but why? If you're working in an environment that feels the need for central authentication (and more) and you can't afford a license for Windows Server, you're in really bad shape.
